The Three Exceptions to a HIPAA Breach
Many people have a “better safe than sorry” mentality when it comes to privacy and breaches. Just as doctors, nurses, and technicians have often treated incidental disclosures as privacy violations, many privacy officers treat any impermissible disclosure as a breach. However, there are three exceptions to a breach that all staff members should be aware of.
1. Unintentional Acquisition, Access, or Use
The first exception to a breach is when an employee unintentionally acquires, accesses, or uses protected health information (PHI) in good faith within the scope of their authority, and the PHI is not further used or disclosed in a manner not permitted by the rule. For example, a technician might accidentally open the wrong patient chart. If, however, the technician opened the chart to snoop, she is acting deliberately and not in good faith. The unintentional access must also occur while the technician is carrying out her authorized duties.
If the technician then shares the PHI she accidentally saw in an unallowable way, such as gossiping, this is a breach. She can, however, further disclose the information if it is used for the patient’s treatment. In that case, the exception still applies.
2. Inadvertent Disclosure to Authorized Person
The second exception to a breach is when a person authorized to access PHI accidentally shares PHI with another authorized person at the same organization, and the PHI is not further disclosed in a manner not permitted by the rule. For example, a nurse emails the wrong lab results to a doctor, and the doctor tells him that it is the wrong file and deletes the email. Since the disclosure was inadvertent, both the nurse and the doctor are authorized to access PHI, they both work at the same hospital, and the doctor did not further share the information, the exception applies.
3. Inability to Retain PHI
The third exception is when an organization disclosing PHI believes in good faith that the unauthorized person receiving the information would not have been able to retain it. For example, a clinic mails explanation of benefits (EOB) letters to the wrong people, and the post office returns some of the letters unopened. Most likely, the addressees did not see or retain the information inside those envelopes, so the exception applies to them. However, the EOBs that were not returned should be treated as potential breaches.
The key for this exception is whether or not the unauthorized person is able to retain the information. For example, a pharmacy may hand out the wrong prescription, and the patient returns the prescription before leaving the building. In this case, the pharmacy can make an on-the-spot assessment as to whether the patient was able to retain any of the other patient’s information, such as their name or date of birth.
HIPAA Breach Risk Assessment
Human errors are common, and not all disclosure errors threaten the privacy of PHI. If every impermissible disclosure were treated as a breach, health care would be gridlocked. That is why the HIPAA Privacy Rule allows these three exceptions to a breach.
Next time a potential breach comes to light, don’t jump to conclusions. First, gather all the facts and determine whether an exception applies. If one does, document the incident and the exception you applied, and keep that record on file. If none of the exceptions apply, conduct the four-factor breach risk assessment to determine the risk level.
Inside the HIPAAtrek software, you can log all security incidents and determine whether or not an incident was a breach through the built-in Breach Risk Assessment Tool. Request a demo or contact us at firstname.lastname@example.org.